Logo
Contact us

COSA DATA PRIVACY POLICY

Last Updated: 26th May, 2025

Introduction

African Coalition on Spyware and Surveillance Accountability ("we", "our", or "us") is committed to the safeguarding of digital rights, including the right to privacy, freedom of expression, and protection against unlawful surveillance. In keeping with this objective, we are equally committed to ensuring the lawful, transparent and secure handling of personal data entrusted to us.

This Data Privacy Policy ("Policy") outlines how we collect, use, disclose and protect personal data in accordance with applicable laws, including but not limited to the Nigeria Data Protection Act 2023 (NPDA), the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), the General Data Protection Regulation (GDPR), and other relevant frameworks.

Scope of Application

This Policy applies to all personal data processed through our website, mobile application, and Self-diagnosis toolkit, and to any person whose data we collect in the course of our work, including researchers, human right defenders, journalists, civil society organizations and members of the public.

Principles of Data Processing

We are governed by the principles of transparency, fairness and lawfulness in our processing of personal data. Data processed is minimized, stored and handled with accuracy, accountability, integrity and confidentiality, and is limited to purpose.

Categories of Data Collected

When you visit our website, you may provide us with personal information like your name (anonymous contributions are permissible), contact details, and organizational affiliation (if applicable), email address, user-submitted spyware reports (only with consent or under secure handling protocols), support requests. This category of data is supplied by the user voluntarily.

Our website automatically collects the following data:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Log data, including timestamps and accessed pages
  • Cookies and tracking technologies for analytics and functionality

Purposes of Processing

We collect and process personal data solely for the following purposes:

  1. To operate, maintain and improve the services and to secure our website and digital platforms
  2. To receive and process information relating to digital rights violations; responding to user inquiries, feedback or support requests
  3. To engage with civil society, media and legal stakeholders in tackling the issues around spyware & surveillance misuse
  4. To provide users with updates, self-diagnosis toolkits, research findings and advocacy materials, user education resources (where consent is granted), in respect to unlawful digital surveillance
  5. To fulfil legal or regulatory obligations applicable to our operations

Processing of personal data will be limited to:

  • Cases where explicit consent of the user has been obtained
  • The processing is required for compliance with legal obligations
  • Legitimate interests that do not prejudice the rights of the data subject

Information Sharing and Disclosure

We do not share your personal information with third parties, organizations, or individuals outside of the Coalition of Spyware accountability except in the following limited cases:

  • With your consent when any sensitive personal information is sought to be shared
  • For external processing, to our affiliates and other trusted service providers under strict data protection agreements and confidentiality and security measures
  • In compliance with legal and regulatory authorities for the detection, prevention and address of fraud, security or technical issues

We do not sell, trade, or share your personal information with third parties for marketing or commercial purposes.

Safeguarding Your Information

Security services have been built on our website to secure your information. We ensure that you are protected from unauthorized access, modifications, divulgence or destruction of the information we hold, including:

  • The use of encryption to protect your data to ensure secure transmission
  • Our information collection, storage and processing practices are revised to prevent unauthorized access to our systems
  • Access to your personal information is restricted to our employees and agents who require the information to process it. All individuals with access are bound by strict confidentiality agreements and may face disciplinary action or termination for non-compliance

Data Retention

Your personal data is retained for as long as necessary to achieve the purposes set out in this policy or as required by law. Sensitive data related to surveillance cases is retained under strict confidentiality protocols and periodic reviews are carried out for anonymization or deletion. You are allowed to correct or update inaccurate data or to request deletion of your data.

Children's Personal Information

Our services are not directed to children under the age of 13, and we do not knowingly collect, use or disclose personal information from children without verifiable parental consent. If such data is found to have been obtained from a minor, we will take reasonable steps to delete it as soon as possible. A parent or guardian who believes that their child has supplied any personal information without their consent should contact us. Parents and guardians are hereby encouraged to take an active role in their children's online activities.

Use of Cookies

We employ the use of cookies on our website to support functionality, enhance security, and gather anonymous usage data. Cookies may be disabled via your browser settings, but this may affect performance on the site.

Spyware Incident Reporting Form

Our website includes a secure, end-to-end encrypted form that allows users to confidentially report suspected surveillance, spyware attacks, privacy violations, or related incidents. Submissions through this form are entirely voluntary.

When you submit an incident report:

  • You may provide identifying information or choose to maintain anonymity
  • The data shared will only be processed for the purpose of assessing, responding to, and investigating the reported incident
  • Information shared will not be disclosed to third party without the consent of the data subject, unless required by law or is necessary to protect vital interests or rights

By using the Incidence Reporting Form, you consent to the collection and use of the information you provide in accordance with this privacy policy.

Membership and Coalition Participation

In furtherance of our commitment towards advancing digital rights and freedom, we may engage in partnerships, alliances or coalitions with other organizations, institutions or advocacy networks. Participation in membership activities is voluntary and subject to this policy.

By choosing to join our coalition or participating in joint initiatives, we may require:

  • Your personal information such as your name, contact details, organizational affiliation, and areas of interest or expertise, in order to facilitate your membership or collaboration
  • The information will be used solely for purposes connected with coordination, communication, invitations to events, joint advocacy, or other coalition-related activities
  • The user's personal information will not be disclosed to other coalition members or third parties without obtaining explicit consent, unless required by law or necessary for facilitating the functionality of the coalition in compliance with confidentiality agreements
  • You may opt out of coalition related communications or request deletion of your membership data at any time by contacting us

Policy Update

This policy may be revised from time to time. Users will be notified of any update on the page with a revised effective date. Continued use of our services constitutes an acknowledgment of the updated policy.

Contact Us

For inquiries and concerns please contact our Data Protection Officer.